Securing web browser communication

The default Model9 installation provides a self-signed web certificate. This certificate encrypts the web traffic passing between your browser and the Model9 management server.

It is strongly recommended to replace the Model9 self-signed certificate with a site-defined one in order to comply with the site standard security policy.

Follow these steps to replace the Model9 self-signed web certificate. Contact the security administrator to make sure the site's standard security policy is met.

1. Create a personal certificate and a private/public key pair for the management server.

2. Sign the personal certificate with your site's standard certificate authority (CA).

3. Import the personal certificate with its chain and private/public key pair into a PKCS12 file. Make sure to specify the file's password and the alias of the certificate within the p12 file.

4. Copy the PKCS12 file using binary mode into $MODEL9_HOME/keys/pkcs12_file.p12

5. Update the keystoreFile, keystorePass and keyAlias settings in the server configuration file by editing the $MODEL9_HOME/conf/connectorHttpsModel9.xml file, as shown in the following example:

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"
    SSLEnabled="true"
    keystoreFile="/model9/keys/pkcs12_file.p12"
    keystoreType="PKCS12"
    keystorePass="keystorePass"
    clientAuth="false"
    sslProtocol="TLS"
    keyAlias="keyAlias"
    secure="true"
/>

Java strictly follows the HTTPS specification for server identity (RFC 2818, Section 3.1) and IP address verification. When using a hostname, it is possible to fall back to the Common Name in the Subject DN of the server certificate instead of using the Subject Alternative Name. However, when using an IP address, the certificate must contain a Subject Alternative Name entry of type IP address (and not a DNS name).
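Steps 1 to 3 and the Subject Alternative Name requirement above, sketched with the OpenSSL command line as an added example (not part of the Model9 documentation). The choice of OpenSSL, the host name model9.example.com, the address 192.0.2.10, the 2048-bit RSA key, the alias and password values, and the throwaway CA standing in for the site CA are assumptions made so the script runs offline.

```sh
#!/bin/sh
# Added example, not Model9 code. Host name, IP address, key size, alias and
# password are constructed placeholders; follow the site policy for real values.
set -eu

SAN="DNS:model9.example.com,IP:192.0.2.10"   # IP entry needed for access by address

# Step 1: private key plus a CSR carrying both SAN entry types.
make_csr() {   # usage: make_csr <workdir>
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/CN=model9.example.com" -addext "subjectAltName=$SAN"
}

# Step 2 stand-in: a throwaway CA so the example runs offline. In production
# the site CA signs server.csr and returns server.crt with its chain.
sign_with_demo_ca() {   # usage: sign_with_demo_ca <workdir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt"
  printf 'subjectAltName=%s\n' "$SAN" > "$1/san.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/server.crt"
}

# Step 3: bundle key, certificate and chain; -name becomes the keyAlias value.
# "pass:" shows the password in the process list; OpenSSL also accepts
# file: and env: sources, which are preferable outside a demo.
make_p12() {   # usage: make_p12 <workdir> <alias> <password>
  openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
    -certfile "$1/ca.crt" -name "$2" -passout "pass:$3" \
    -out "$1/pkcs12_file.p12"
}

# Pre-copy check: print the SAN entries of the server certificate in the file.
p12_san() {   # usage: p12_san <p12 file> <password>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts |
    openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Typical order: make_csr, (CA signs the CSR), make_p12, p12_san.
```

Run p12_san on the finished file before step 4: if the output has no "IP Address:" entry, browsers and Java clients that reach the server by IP address will reject the certificate.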
